author | netblue30 <netblue30@yahoo.com> | 2016-09-14 09:16:24 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-09-14 09:16:24 -0400 |
commit | 5fe95403128b577e4d773b574f498d98a3f6e6c2 (patch) | |
tree | 6780fbc7bb1b130f48a0640453bf3ac6b1f3f6ef | |
parent | Merge pull request #773 from manevich/x11 (diff) | |
parent | change error message (diff) | |
Merge pull request #776 from manevich/x11
small --x11=block fixes
-rw-r--r-- | src/firejail/x11.c | 11 |
1 files changed, 8 insertions, 3 deletions
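--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -54,7 +54,11 @@ static int x11_check_xephyr(void) {
 // check for X11 abstract sockets
 static int x11_abstract_sockets_present(void) {
 char *path;
+
+EUID_ROOT(); // grsecurity fix
 FILE *fp = fopen("/proc/net/unix", "r");
+EUID_USER();
+
 if (!fp)
 errExit("fopen");
 
@@ -594,9 +598,10 @@ void x11_block(void) {
 if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured)
 && x11_abstract_sockets_present()) {
 fprintf(stderr, "ERROR: --x11=block specified, but abstract X11 socket still accessible.\n"
-"Additional setup required. To block abstract X11 socket you need either:\n"
-" * use network namespace (--net=none, --net=...)\n"
-" * add \"-nolisten local\" to xserver options (eg. /etc/X11/xinit/xserverrc)\n");
+"Additional setup required. To block abstract X11 socket you can either:\n"
+" * use network namespace in firejail (--net=none, --net=...)\n"
+" * add \"-nolisten local\" to xserver options\n"
+" (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n");
 exit(1);
 }
 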
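Review bot: In `x11_abstract_sockets_present()` the result of `fopen("/proc/net/unix", "r")` is only checked after `EUID_USER()` has run, so if `errExit` reports `errno` (its definition is not visible here) the value may no longer be the one `fopen` set; adding `int saved_errno = errno;` directly after the `fopen` and `errno = saved_errno;` after `EUID_USER()` keeps the diagnostic accurate. The `// grsecurity fix` comment does not say why root is needed; something like `// grsecurity may deny unprivileged reads of /proc/net/unix: open as root, drop back to user right away` (to be confirmed by the author) would stop a later edit from widening the privileged window. The function also now always returns with the user euid whatever state it was entered in, which is worth confirming against callers such as `x11_block()`. The body of the function continues past the end of the first hunk.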